What actually is “the human aspect of cyber security”?

The definition of the human aspect of cyber security is changing. Here’s what it means in a traditional sense, as well as what it will mean in the future.

As today’s CISOs will know, cyber security strategies are typically sub-divided into sections on technology, processes and the human aspect of cyber security.

Definitions of both technology and processes are relatively uniform. The human aspect, however, is unique. Unlike its counterparts, the human aspect of cyber security can actually mean different things to different people.

The traditional definition

To some – maybe even most – the human aspect of cyber security refers to the risks posed to an organisation when people affiliated with that organisation interact with technology. Most of the time, the people in question will be employees – but they could also be suppliers, or any other third party with legitimate access to an organisation’s network.

The definition conjures up images of malicious actors, but the human aspect of cyber security, of course, refers to both malicious actors and the well-meaning people who could unintentionally cause issues.

The human aspect: an example

The case of Evaldas Rimasauskas, who reportedly stole more than $100m from companies including Facebook and Google, is a well-cited example.

According to reports, Rimasauskas stole the money not through malicious software or by conspiring with insiders, but through an elaborate scam that eventually convinced well-meaning people into sending the funds his way.

The problem with the traditional definition

Tales such as the above lead to some understandable – but questionable – security terminology.

For example, they cause some security professionals to refer to well-meaning people as a “weakness” and a security “threat”. And thus, when some talk of the human aspect of cyber security, they focus only on mitigating risks.

On closer inspection, though, the traditional definition is odd. The definition seems to suggest that, somehow, an organisation’s own people are conspiring to take down their employer from the inside out.

Setting aside a small minority of deliberately malicious actors, that’s not quite accurate. After all, an organisation’s own people surely prevent more attacks than they cause.

Every time someone ignores a phishing email, for example, they keep a network secure. Every time someone locks their computer screen before heading out to lunch, they prevent potential unauthorised access.

Every time someone uses multi-factor authentication, or swerves a website following a security warning, or updates software to patch vulnerabilities, they keep their networks secure.

And so, in more and more circles, the human aspect of cyber security is beginning to take on a new meaning.

A different meaning

Given people’s unique ability to actively prevent attacks, more and more security professionals are beginning to see people not as a weakness but a defence. That changes what we really mean by the human aspect of cyber security.

Traditionally, the human aspect of cyber security referred solely to the risks posed by people. Increasingly, it refers not just to the risks posed by people but also to the additional defences security-conscious people can implement.

It’s the latter definition that will inform the content of PeepSec, a free, 5-day virtual summit on the people, the culture and the social aspects of cyber security, which is taking place entirely online this June.

During the summit, we won’t simply be discussing how we can mitigate the risks posed by people. Leading speakers will also move the conversation forward, and discuss how we make the most of people as a defence. We’ll be discussing the human aspect of cyber security as a whole.